Subject | Re: [firebird-support] Question: RDB$SYSTEM_FLAG = 0 No Results |
---|---|
Author | Mark Rotteveel |
Post date | 2019-02-28T19:38:37Z |
On 28-2-2019 18:06, Robert Tulloch tultalk@... [firebird-support] wrote:
> Fixed:
>
> GetUniqueStatisticsStatement.Add(FORMAT('select Cast(%s AS varchar(32)) AS TABLE_NAME, cast(%s AS varchar(32)) AS INDEX_NAME, cast(RDB$STATISTICS as varchar(32)) as RDB$STATISTICS', [tableName, indexName]));
> GetUniqueStatisticsStatement.Add('from rdb$indices where (RDB$SYSTEM_FLAG is null or RDB$SYSTEM_FLAG = 0 )');
> GetUniqueStatisticsStatement.Add(FORMAT('AND RDB$INDICES.RDB$INDEX_NAME = %s', [indexName]));
> GetUniqueStatisticsStatement.Add('ORDER BY RDB$STATISTICS DESC');
>

I don't know Delphi, but this looks like something that is vulnerable to SQL injection. You might want to learn how to use parameters to avoid introducing security issues in your application.

Mark
--
Mark Rotteveel
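The point Mark makes, shown side by side as an added example that is not part of the thread and not Robert's Delphi code: the string-built statement from the post next to the same statement with `?` placeholders. Firebird's RDB$INDICES system table is stood in for by a constructed in-memory SQLite table with only the three columns the query touches, so the example runs offline; the identifiers are double-quoted because both Firebird (dialect 3) and SQLite accept `"RDB$..."` quoted names. The sample rows and the table name `CUSTOMER` are constructed; against a real Firebird database the same parameterized text would be run through the Firebird driver (`?` markers in the Python drivers, `:name` parameters in Delphi components).

```python
import sqlite3


def make_demo_connection():
    """Constructed stand-in for Firebird's RDB$INDICES (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'create table "RDB$INDICES" ('
        '"RDB$INDEX_NAME" varchar(31), "RDB$SYSTEM_FLAG" integer, "RDB$STATISTICS" real)'
    )
    conn.executemany(
        'insert into "RDB$INDICES" values (?, ?, ?)',
        [
            ("IDX_CUSTOMER_NAME", 0, 0.00125),  # user index, flag explicitly 0
            ("IDX_ORDER_DATE", None, 0.5),      # user index, flag never set (null)
            ("RDB$PRIMARY1", 1, 1.0),           # system index, must be excluded
        ],
    )
    return conn


# Mirrors the posted Delphi FORMAT() calls: the caller's strings (quotes and all)
# are pasted into the SQL text, so they become part of the statement itself.
VULNERABLE_TEMPLATE = (
    "select cast(%s as varchar(32)) as TABLE_NAME, "
    "cast(%s as varchar(32)) as INDEX_NAME, "
    'cast("RDB$STATISTICS" as varchar(32)) as "RDB$STATISTICS" '
    'from "RDB$INDICES" '
    'where ("RDB$SYSTEM_FLAG" is null or "RDB$SYSTEM_FLAG" = 0) '
    'and "RDB$INDICES"."RDB$INDEX_NAME" = %s '
    'order by "RDB$STATISTICS" desc'
)

# Same statement with placeholders: values travel separately from the SQL text,
# so no value can change the statement's structure.
PARAMETERIZED_SQL = (
    "select cast(? as varchar(32)) as TABLE_NAME, "
    "cast(? as varchar(32)) as INDEX_NAME, "
    'cast("RDB$STATISTICS" as varchar(32)) as "RDB$STATISTICS" '
    'from "RDB$INDICES" '
    'where ("RDB$SYSTEM_FLAG" is null or "RDB$SYSTEM_FLAG" = 0) '
    'and "RDB$INDICES"."RDB$INDEX_NAME" = ? '
    'order by "RDB$STATISTICS" desc'
)


def build_vulnerable_sql(table_name, index_name):
    """String-built statement; table_name/index_name must arrive pre-quoted."""
    return VULNERABLE_TEMPLATE % (table_name, index_name, index_name)


def query_vulnerable(conn, table_name, index_name):
    return conn.execute(build_vulnerable_sql(table_name, index_name)).fetchall()


def query_parameterized(conn, table_name, index_name):
    """Plain values go in; the driver binds them to the three '?' markers."""
    return conn.execute(PARAMETERIZED_SQL, (table_name, index_name, index_name)).fetchall()


def vulnerable_query_breaks(conn, table_name, index_name):
    """True when the string-built statement no longer parses for this input,
    i.e. the input has rewritten the SQL text (the injection condition)."""
    try:
        query_vulnerable(conn, table_name, index_name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_demo_connection()
    # Benign input: both variants return the same row, and the null-flag row is found too.
    print(query_vulnerable(conn, "'CUSTOMER'", "'IDX_CUSTOMER_NAME'"))
    print(query_parameterized(conn, "CUSTOMER", "IDX_CUSTOMER_NAME"))
    print(query_parameterized(conn, "CUSTOMER", "IDX_ORDER_DATE"))
    # An index name containing a quote is ordinary data, yet it corrupts the
    # string-built statement; the parameterized one simply finds no such index.
    untrusted = "IDX_O'BRIEN"
    print(vulnerable_query_breaks(conn, "'CUSTOMER'", "'" + untrusted + "'"))
    print(query_parameterized(conn, "CUSTOMER", untrusted))
```

The third placeholder is bound to `index_name` a second time because the statement uses the value twice (once in the select list, once in the WHERE clause); a Delphi component would let the same `:INDEX_NAME` parameter be referenced by name instead.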